
ISO/IEC 27018 Introduction

ISO/IEC 27017 Update

Dale Johnstone
26 January 2015
ISO/IEC 27018 – Introduction
• Published 1st August 2014
• Applicable to public cloud computing organizations acting as PII
• Provides Guidelines (should) based on ISO/IEC 27002
• Establishes commonly accepted control objectives, controls and
guidelines for implementing measures to protect Personally
Identifiable Information (PII)
• Used in accordance with the privacy principles in ISO/IEC 29100
• Considers regulatory requirements for the protection of PII which
might be applicable within the context of the information security
risk environment
• May also be relevant to organizations acting as PII controllers
• Not intended to cover additional obligations that PII controllers
may be subject to (i.e. additional PII protection legislation,
regulations and obligations)
ISO/IEC 27018 – Overview
Provides a Code of Practice to:
• Process personal information (PI) in accordance with the customer’s instructions
• Process PI for marketing or advertising purposes only with the customer’s express consent
– such consent cannot be made a condition for receiving the service
• Assist cloud customers to comply when individuals assert their access rights
• Disclose information to law enforcement authorities only when legally bound to do so
• Disclose the names of any sub-processors and the possible locations where personal
information may be processed prior to entering into a cloud services contract
• Assist cloud customers to comply with notification obligations in the event of a data breach
• Implement a policy for the return, transfer or disposal of personal data, i.e. when the
service comes to an end
• Subject their services to independent information security reviews at scheduled
intervals (or when significant processing changes occur)
• Enter into confidentiality agreements with staff who have access to personal data and
provide appropriate staff training
ISO/IEC 27018 – 27002 Alignment
ISO/IEC 27018 – Extended Controls
ISO/IEC 27018 – Public cloud PII processor should:
• (x 19)
• provide the cloud service customer with the means to
enable them to fulfil their obligation to facilitate the
exercise of PII principals’ rights to access, correct
and/or erase PII pertaining to them
• provide the cloud service customer with all relevant
information, in a timely fashion
• adhere to the relevant privacy principles set forth in
ISO/IEC 29100, where circumstances are determined
by the public cloud PII processor that the processing
method involves the collection and use of PII
• etc…
ISO/IEC 27018 – Cloud service customer should:
• (x 4)
• ensure the public cloud PII processor’s
compliance with purpose specification and
limitation principles
• ensure that no PII is processed by the public
cloud PII processor or any of its sub-contractors
for further purposes independent of the
instructions of the cloud service customer
• ensure that the measures implemented by the
public cloud PII processor meet its obligations
ISO/IEC 27018 – PII should:
• (x 12)
• not be processed for any purpose independent of
the instructions of the cloud service customer,
where processed under a contract
• ensure express consent is not a condition of
receiving the service, where processed under a
• be recorded, including what PII has been
disclosed, to whom and at what time, where
disclosed to third parties
ISO/IEC 27018 – Contract should:
• (x 15)
• specify that sub-contractors only be
commissioned on the basis of a consent that can
generally be given by the cloud service customer
at the beginning of the service
• specify how the public cloud PII processor will
provide the information necessary for the cloud
service customer to fulfil its obligation to notify
relevant authorities
• define the maximum delay in notification of a
data breach involving PII
ISO/IEC 27018 – Information should:
• (x 4)
• cover the fact that sub-contracting is used and the
names of relevant subcontractors, but not any
business-specific details, where disclosed
• include the countries in which sub-contractors process
data and the means by which sub-contractors are
obliged to meet or exceed the obligations of the public
cloud PII processor, where disclosed
• under a non-disclosure agreement and/or on the
request of the cloud service customer, where public
disclosure of sub-contractor information is assessed to
increase security risk beyond acceptable limits, where
ISO/IEC 27018 – Other should:
• Policy (x2)
• Procedure (x2)
• Information (x4)
• Temporary files and documents (x1)
• Portable physical media and device (x1)
• Hardcopy material (x1)
• User Profiles (x4)
• Disclosures (x1)
• If > 1 individual has access to stored PII (x1)
ISO/IEC 27017 – Update
• Guidelines for information security controls applicable to
the provision and use of cloud services
• Additional implementation guidance for relevant controls
specified in ISO/IEC 27002
• Additional controls with implementation guidance that
specifically relate to cloud services
• Provides controls and implementation guidance for both
cloud service providers and cloud service customers
• Structured similarly to ISO/IEC 27002
• Includes clauses 5 to 18 of ISO/IEC 27002 by stating the
applicability of their text at each clause and paragraph
• Where a control objective with controls, or a single control, is
needed in addition to ISO/IEC 27002, it is given in Annex A: Cloud
Service Extended Control Set (normative)
ISO/IEC 27017 – 27002 Alignment
ISO/IEC 27017 – Extended Controls
ISO/IEC 27017 – Update
• Draft International Standard (DIS) Stage of the
Development Lifecycle (January 2015)
• Next Meeting to Discuss DIS Voting and
Comments Scheduled for 1st Week of May 2015
• Expected to be Finalised and Published as an
International Standard in October 2015